2.2 Managing the Ksplice Enhanced Client With the ksplice Command

You manage the Ksplice Enhanced client by using the
ksplice command instead of the
uptrack commands that are used with the
traditional Ksplice client. The ksplice command
enables you to perform user-space patching, in addition to kernel
patching.

To display the running user-space processes that the client can
patch, use the ksplice all list-targets
command:

The command reports the updates that have been applied both to
running processes and to the kernel. In this example, Ksplice has
applied updates for CVE-2014-7817 and
CVE-2015-1781 to all of the listed processes.

To restrict the scope of the ksplice command to
user-space updates or kernel updates, specify
user or kernel instead of
all with the command.

To restrict the ksplice command to just the Xen
hypervisor, specify xen instead of
all with the command.

To display the updates that have been applied to a process
specified by its PID, use the
--pid=PID option
with the ksplice user show command:

Ksplice patches are stored in
/var/cache/uptrack. Following a reboot, Ksplice
automatically re-applies these patches very early in the boot
process before the network is configured, so that the system is
hardened before any remote connections can be established.

To list the available Ksplice updates, use the
upgrade subcommand as follows:

# ksplice -n kernel upgrade

To install all available Ksplice updates, use the
upgrade subcommand as follows:

# ksplice -y user upgrade

To list the available Ksplice updates for the Xen hypervisor, use
the upgrade subcommand as follows:

# ksplice -n xen upgrade

After Ksplice applies updates to a running kernel, the kernel has
an effective version that is different from the original boot
version displayed by the uname -a command. Use
the ksplice kernel uname -r command to display
the effective version of the kernel:

# ksplice kernel uname -r
3.8.13-55.1.1.el6uek.x86_64

The ksplice kernel uname command supports the
commonly used uname flags, including
-a and -r, and provides a
way for applications to detect that the kernel has been patched.
The effective version is based on the version number of the latest
patch that Ksplice Uptrack has applied to the kernel.

To view the updates that Ksplice Uptrack has made to the running
kernel:

# ksplice kernel show

To view the updates that Ksplice Uptrack has made to the Xen
hypervisor:

# ksplice xen show

To view the updates that are available to be installed:

# ksplice kernel show --available

To remove all updates from the kernel:

# ksplice kernel remove --all

To remove all updates from the Xen hypervisor:

# ksplice xen remove --all

To prevent Ksplice from reapplying the updates at the next system
reboot, create the empty file
/etc/uptrack/disable:

# touch /etc/uptrack/disable

Alternatively, specify nouptrack as a parameter
on the boot command line when you next restart the system.
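
The following audit script is an added example, not part of the Ksplice documentation. It compares the boot and effective kernel versions and checks both of the mechanisms described above that stop updates from being reapplied at reboot. The function names are hypothetical, and the script assumes that nouptrack appears as a bare word in /proc/cmdline.

```shell
#!/bin/sh
# Added audit example. Paths, the nouptrack parameter and the
# "ksplice kernel uname -r" command come from this page; the function
# names are hypothetical.

# Return 0 (and print the reason) if Ksplice will NOT reapply updates at boot.
# $1 = disable flag file, $2 = file holding the kernel command line.
reapply_disabled() {
    flag=${1:-/etc/uptrack/disable}
    cmdline=${2:-/proc/cmdline}
    if [ -e "$flag" ]; then
        echo "disabled: $flag exists"
        return 0
    fi
    # Assumption: nouptrack is a bare word; match it as a whole parameter
    # so that a longer string containing it does not count.
    if [ -r "$cmdline" ] && tr -s ' \t' '\n\n' <"$cmdline" | grep -qx 'nouptrack'; then
        echo "disabled: nouptrack is on the boot command line"
        return 0
    fi
    return 1
}

# Return 0 if the effective kernel version differs from the boot version,
# which the page describes as the sign that updates have been applied.
# $1 = output of uname -r, $2 = output of ksplice kernel uname -r.
kernel_patched() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Live check: returns 1 if updates would be lost at the next reboot,
# 2 if the ksplice command cannot be run.
audit() {
    boot=$(uname -r)
    eff=$(ksplice kernel uname -r 2>/dev/null) || { echo "ksplice unavailable"; return 2; }
    if kernel_patched "$boot" "$eff"; then
        echo "kernel patched: boot=$boot effective=$eff"
    else
        echo "no kernel updates applied: running $boot"
    fi
    if reapply_disabled; then
        echo "WARNING: updates will not be reapplied after the next reboot"
        return 1
    fi
    return 0
}
```

Source the file and call audit on a host that has the Ksplice Enhanced client installed.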

For more information about using the ksplice
command, see the ksplice(8) man page.